Token-nya Disimpan di Notepad: Ketika Developer Jadi Celah Bocornya SATUSEHAT ( Token API Disimpan Sembarangan )

🔀 Read in English 🇬🇧

Selamat Datang di Hajriah Fajar: Hidup Sehat & Cerdas di Era Digital

Token-nya Disimpan di Notepad: Ketika Developer Jadi Celah Bocornya SATUSEHAT

Kita mulai dari sebuah meja kerja. Lengkap dengan kopi dingin bekas semalam, sticky notes di pinggir layar, dan… tab Notepad yang masih terbuka. Isinya? Token API SATUSEHAT. Bukan cerita fiksi. Ini pernah kejadian. Bukan di kementerian, sih (semoga), tapi di vendor software lokal yang lagi ngebut garap integrasi sistem kesehatan.

Lucunya, semua orang di tim bisa akses token itu. Di-share lewat WhatsApp grup. Tanpa password. Tanpa expired. Kayak password WiFi di warung kopi — semua tahu, tapi nggak ada yang tanggung jawab kalau koneksinya lambat.

Dan pertanyaannya bukan "kenapa disimpan di Notepad?", tapi: “Kenapa token ini bisa bocor lewat screenshot?” Yup. Ada satu staf baru yang kirim screenshot error, tapi tab Notepad ikut ke-capture. Hasilnya? Token itu tersebar ke forum debugging terbuka. Dunia tahu. Dunia bisa masuk.

Entah Ini Konyol atau Tragis

Kita sering mikir keamanan data itu urusan "kementerian", "infrastruktur cloud", atau "sistem pusat". Padahal, lubangnya kadang ada di laptop pegawai magang. Token disimpan di Desktop, bukan vault. Kredensial dikirim pakai email biasa, bukan sistem aman.

Dan jangan salah, SATUSEHAT itu bukan aplikasi ecek-ecek. Ini sistem nasional. Menyatukan rekam medis dari seluruh Indonesia, menghubungkan rumah sakit, puskesmas, dan klinik swasta dalam satu platform yang sama. Bayangin kalau ada yang bisa akses API-nya tanpa izin.

Kutipan yang Bikin Dahi Berkerut

“Mas, kita simpen token-nya di mana ya? Tadi sih masih di folder 'test' yang di zip sama dokumentasi awal.”
— Seorang developer vendor integrasi, 2023

“Kalau sudah token-nya bocor, nggak usah heran kalau ada yang bisa tarik data pasien dari luar. Itu bukan hack, itu undangan.”

Kenapa Ini Bisa Terjadi?

Karena budaya kerja kita kadang lebih cepet dari akal sehat. Ngebut deploy. Ngebut integrasi. Tapi lupa: token API itu kayak kunci rumah. Kalau hilang, orang bisa masuk meski rumahnya pakai pintu baja. Dan lucunya lagi, token itu sering dikasih masa berlaku 30 hari. Tapi di lapangan? Token tetap aktif selama berbulan-bulan.

Pernah ada kasus — walau bukan di SATUSEHAT — token admin yang diembed di aplikasi mobile belum sempat di-rotasi selama setahun. Lalu aplikasinya dibongkar pakai APKTool, dan boom — ada akses ke data sensitif.

Ini Tentang Rasa Percaya

Bukan cuma soal teknis. Ini juga soal budaya. Developer nggak diberi pelatihan dasar tentang penyimpanan kredensial. Tim QA punya akses penuh karena dianggap "butuh test". Dan manajer proyek kadang lebih takut deadline dari pada data breach.

Masalahnya bukan niat jahat. Tapi kelalaian struktural. SOP yang nggak ada. Sistem monitoring yang nggak dihidupkan. Dan log audit yang nggak pernah dibaca. Kalau semua akses dianggap sah asal orangnya pakai ID card, ya wajar kalau data bocor diam-diam.

Solusi yang Kadang Terlalu Sederhana untuk Dipraktikkan

1. Simpan token di secret vault, bukan file .txt Misalnya pakai HashiCorp Vault, AWS Secrets Manager, atau tools lain yang punya enkripsi bawaan. 2. Gunakan token jangka pendek Token harus bisa expired otomatis. Kalau bisa, hanya aktif 1–2 jam, bukan 1 minggu. 3. Audit akses API secara reguler Buat log, dan benar-benar baca log itu. Jangan cuma disimpan buat formalitas. 4. Edukasi developer dan QA Workshop ringan tentang “credential hygiene” bisa menyelamatkan satu ekosistem digital. 5. Stop kirim screenshot sembarangan Blur bagian sensitif sebelum kirim bug report. Jangan percaya Slack/Telegram 100%.

Penutup yang Gak Nyaman tapi Perlu

SATUSEHAT bisa jadi platform kesehatan nasional terbaik — tapi tetap rapuh kalau budaya IT di lapangan masih kayak zaman Windows XP bajakan. Kalau token masih disimpan di Notepad, artinya kita ngasih kunci rumah ke siapa pun yang iseng buka folder Desktop.

Kamu kerja di vendor RME? Atau di RSUD yang sedang proses integrasi? Coba cek: token API-mu ada di mana sekarang?

Dan semoga, tulisan absurd ini bisa bikin kita semua lebih waras di tengah deadline dan SOP dadakan.

Welcome to Hajriah Fajar: Living Smart & Healthy in the Digital Age

Token Saved in Notepad: When a Developer Becomes SATUSEHAT's Weakest Link

Let’s start with a desk. Cold coffee, crumpled sticky notes, and a Notepad window still open. What’s inside? An API token for SATUSEHAT. True story. Not from the ministry itself (hopefully), but from a local software vendor racing against deadlines to finish integration with Indonesia’s national health system.

The funny part? Everyone in the team had access to that token. Shared via WhatsApp group. No password. No expiration. Just like the café Wi-Fi password stuck on the wall — everyone knows it, but no one takes responsibility when it goes haywire.

And the question isn’t “Why save it in Notepad?” — the real question is: “Why did it leak via screenshot?” Yup. A new intern sent a screenshot of a bug, and the Notepad window was caught in the shot. Next thing you know? The token was floating around on public forums. The world saw it. The world could enter.

Somewhere Between Silly and Alarming

We tend to think data breaches happen because of “the cloud”, “firewalls”, or “central systems”. But more often, the hole is on a dusty laptop in some dusty backroom. Tokens stored on the Desktop. Credentials sent through plain email. Audit logs never reviewed.

SATUSEHAT isn’t just another health app. It’s the backbone of our national health data — integrating medical records from hospitals, clinics, and health centers all across Indonesia. Imagine if someone could tap into that via one forgotten token.

Things People Really Said

“Bro, where did we store the token again? I think it was in that ‘test’ folder we zipped with the initial doc.”
— A vendor developer, 2023

“Once your token leaks, don’t be surprised if someone starts pulling patient data. That’s not hacking. That’s an invitation.”

Why This Happens (Too Often)

Because our work culture often outruns our security sense. Devs sprint toward deadlines. QA rushes deployments. Project managers fear project delays more than they fear data exposure.

What’s worse: many tokens don’t even expire. I once saw a mobile app that stored an admin token embedded in plain JavaScript. The token was valid for over a year. The APK was cracked with a free tool — access granted to sensitive health records. No hacking genius required.

This Isn’t Just Tech — It’s Trust

We think breaches are caused by bad people. But more often, they’re caused by well-meaning folks who weren’t trained. Developers who didn’t know better. QA teams with full access “just in case”. And system admins who never rotated keys because “we didn’t want to break anything”.

It’s not about bad intentions. It’s about broken systems. About shared folders without protection. About secrets passed around like candy during a hackathon. And once you lose control of who has the keys, well... anyone can come knocking.

So What Can We Actually Do?

1. Store tokens in proper vaults, not in .txt files
Use tools like HashiCorp Vault or AWS Secrets Manager to keep secrets encrypted and auditable. 2. Use short-lived tokens with expiry
Ideally, each token should last no more than a few hours. If one leaks, damage is minimal. 3. Audit API access — and read the logs
Don’t just collect logs. Look at them. Spot anomalies. Flag weird patterns. 4. Train your devs (and QA) in credential hygiene
Just one afternoon of workshop can prevent months of damage. 5. Don’t share screenshots with sensitive info
If you must report a bug, blur out tokens, patient IDs, or anything risky. It’s not that hard. Seriously.

Not a Feel-Good Ending, But a Needed One

SATUSEHAT is a beautiful initiative. But no amount of fancy architecture will work if people still store their master keys in a file called “token.txt” on their Desktop.

If you're working with health tech in Indonesia — maybe at a local clinic, a software vendor, or a sleepy IT room in a district hospital — take 2 minutes. Ask yourself:

Where is our API token right now? Who has access to it? Can a stranger screenshot it by accident?

This isn’t just about technical fixes. It’s about building a culture where carelessness isn’t normal — and where security isn’t just a checkbox at the end of the sprint.

Until then, the next time someone saves a token in Notepad, remember: they didn’t just save it. They exposed an entire health system.